North Carolina Security Breach Reporting Form 
Pursuant to the Identity Theft Protection Act of 2005 

*Indicated a mandatory field 

*Name of the Company or Government Agency owning or licensing information affected by the entity experiencing 
breach: 

HARRIS BEACH PLLC 


Entity Type: 
Address: 

Apt/ Suite/Building: 
City: 

State: 

Zip Code: 
Telephone: 

Fax: 

Email: 


GENERAE BUSINESS 
99 GARNSEY ROAD 

PITTSFORD 

NY 

14534 

(585) 419-8708 

DRUSSEEE@HARRISBEACH.COM 


*Date Security breach Reporting Form Submitted: 
Is this notice a supplement to a previously filed 
Security Breach: 

*Date the Security Breach was discovered: 

Breach Type: 

*Estimated number of affected individuals: 
*Estimated number of NC residents affected: 


09/14/2018 

NO 

07/12/2018 

HACKERS/ UNAUTHORIZED ACCESS 
74 
1 


Name of company or government agency maintaining or possessing information that was the subject of 
the Security Breach, if the agency that experienced the Security Breach is not the same entity as the 
agency reporting the Security Breach (pursuant to N.C.G.S. 75-65(b)) 


Describe the AN UNAUTHORIZED INDIVIDUAE ACCESSED A MAIEBOX OWNED BY 
circumstances HARRIS BEACH USING COMPROMISED CREDENTIAES. 
surrounding the 
Security Breach: 

Information Type: SSN 


*Regarding YES 

information 

breached, if 

electronic, was the 

information 

protected in some 

manner: 

If YES, please THE INFORMATION IS ENCRYPTED AT REST AND IN TRANSIT, 

describe the HOWEVER, THE BAD ACTOR HAD COMPROMISED CREDENTIAES 

security measures AEEOWING ACCESS TO THE ENCRYPTED MAIEBOX. 



protecting the 
information: 


*Describe any 
measures taken to 
prevent a similar 
Security Breach 
from occurring in 
the future: 


HARRIS BEACH IS IMPLEMENTING TWO-FACTOR AUTHENTICATION 
FOR ACCESS TO MAILBOXES FROM A REMOTE LOCATION. 


*Date affected NC 09/13/2018 
residents were/will 
be notified: 


Describe the circumstances surrounding the delay in notifying 
affected NC residents pursuant to N.C.G.S. 75-65 (a) and (c): 


If the delay was pursuant to a request from law enforcement pursuant to N.C.G.S. 75-65(c), please 
attach or mail the written request or the contemporaneous memorandum. 

How NC residents WRITTEN NOTICE 

were/will be 

notified? (pursuant 

to N.C.G.S. 75-65 

(e)): 

Please note if the business demonstrates that the cost of providing notice would 
exceed two hundred fifty thousand dollars ($250,000) or that the affected class of 
subject persons to be notified exceeds 500,000, or if the business does not have 
sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of 
this subsection, for only those affected persons without sufficient contact 
information or consent, or if the business is unable to identify particular affected 
persons, for only those unidentifiable affected persons. Substitute notice shall 
consist of all the following: 

• Email notice when the business has an electronic mail address for the 
subject persons 

• Conspicuous posting of the notice on the Web site page of the business, if 
one is maintained 

• Notification to major statewide media 


Please attach a copy of the notice if in written form or a copy of any scripted notice if in telephonic 
form. 

Contact Information SAME AS ABOVE 
Affiliation with entity 
experiencing breach: 


Organization Name: 


HARRIS BEACH PLLC 



Prefix: 


MRS 


*F irst N ame: DAWN 


Middle Name: 
*Last Name: 
Suffix: 

Title: 

Address: 

Apt/ Suite/building: 
City: 

State: 

*Telephone: 

Email: 


M. 

RUSSELL 

DIRECTOR OF COMPLIANCE AND RISK MANAGEMENT 
99 GARNSEY ROAD 

PITTSFORD 

NY Zip Code: 14534 

(585) 419-8708 Fax: 

DRUSSELL@HARRISBEACH.COM 



HARRIS BEACH 

Attorneys at Law 

September 13, 2018 99 garnsey road 

PITTSFORD, NY 14534 
(585)419-8800 

Dawn M. Russell 

Director of Compliance and Risk 

Management 

Direct: (585)419-8708 

Fax: (585)419-8801 

drussell@HarrisBeach.com 


Re: Data breach at Harris Beach where your name and Social Security Number could 

have possibly been accessed. 

Dear : 

On July 9, 2018, an unauthorized individual accessed the emails of one of our attorneys. As 
soon as the breach was discovered, we reviewed the contents of those emails to learn what 
information, if any, could have been exposed, and then hired a computer forensics expert to 
investigate the crime and verify our conclusions. The expert believes that the hacker was 
attempting to use the email account to deceive other individuals into divulging their passwords - 
and not in an effort to access the information in the emails. Unfortunately, however, the expert 
advises that the method used to access the email account automatically downloads the entire 
contents of the mail box to the hacker’s personal computer, which makes it possible that the 
hacker still possesses the contents of this mail box and could make use of it in the future. 

Regretfully, in the course of analyzing the mail box, we have learned that one of the emails 
contained your Social Security Number and name. Since we cannot rule out the possibility that 
the hackers may actually look at the emails downloaded, we are informing you of this event so 
that you can monitor your accounts and other personal information for suspicious activities. 
Because this involves your Social Security Number, you should be aware that the typical types of 
crime committed with this information are the filing of fraudulent tax returns claiming a refund 
and fraudulently applying for credit in your name. 

We understand that it can be fmstrating and time-consuming to address these issues. However, 
due to this incident, we are offering identity theft protection services through ID Experts® to 
provide you with MylDCare™. With this protection, MylDCare will help you resolve issues if 
your identity is compromised. We strongly encourage you to register for this free identity theft 
protection service. To enroll please visit https://app.myidcare.com/account-creation/protect or 
call 1-800-939-4170 using your enrollment code, . Enclosed is an information 

sheet ID Experts prepared generally outlining credit monitoring and fraud protection. 

Your 36 month MylDCare membership will include the following: 

Complete Credit Monitoring and Recovery Services 

• Tri-Bureau Credit Monitoring - Monitors any changes reported by Experian, Equifax 
and TransUnion Credit Bureaus to your credit report. 



HARRIS BEACH 

Attorneys at Law 
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• CyberScan Monitoring - Monitors criminal websites, chat rooms, and bulletin boards 
for illegal selling or trading of your personal information. 

• Full Managed ID Theft Restoration Services - Should you believe that you are a victim 
of identity theft, MyIDCare will work with you to assess, stop, and reverse identity theft 
issues. 

• Identity Theft Insurance - In the event of a confirmed identity theft, you may be eligible 
for reimbursement of up to $1,000,000 for expenses related to that theft. 

Again, we regret that this crime against our firm has involved your information as well. If you 
have any questions or concerns, please don’t hesitate to contact me at the phone number or email 
address above. 


Sincerely, 


DR 

Enclosure 


Dawn M. Russell 

Director of Compliance and Risk 

Management 



MyIDCare' 

Recommended Steps to help Protect your Information 

Please Note: Minors, under the age of 18, should not have a credit history established and 
are under the age to secure credit. Therefore, credit monitoring may not he applicable at 
this time for them. All other services provided in the membership will apply. No one is 
allowed to place a fraud alert on your credit report except you, please follow the 
instructions below to place the alert, 

1, Website and Enrollment, Go to https://app.mvidcare.com/account-creation/protect and 
follow the instmctions for enrollment using your Enrollment Code provided above. Once you 
have completed your enrollment, you will receive a welcome letter by email (or by mail if you 
do not provide an email address when you sign up). The welcome letter will direct you to the 
MyIDCare Member Website where you will find other valuable educational information. 

2, Activate the credit monitoring provided as part of your MyIDCare membership. Credit and 
CyberScan Monitoring are included in the membership, but you must personally activate it for it 
to be effective. Note: You must have established credit and access to a computer and the internet 
to use this service. If you need assistance, MyIDCare will be able to assist you. 

3, Review your credit reports. We recommend that you remain vigilant by reviewing account 
statements and monitoring credit reports. Under federal law, you also are entitled every 12 
months to one free copy of your credit report from each of the three major credit reporting 
companies. To obtain a free annual credit report, go to www.annualcreditreport.com or call 1- 
877-322-8228. You may wish to stagger your requests so that you receive a free report by one of 
the three credit bureaus every four months. 

If you discover any suspicious items and have enrolled in MyIDCare, notify them immediately 
by calling or by visiting their Member website and filing a theft report. 

If you file a theft report with MyIDCare, you will be contacted by a member of our ID Care team 
who will help you determine the cause of the suspicious items. In the unlikely event that you fall 
victim to identity theft as a consequence of this incident, you will be assigned an ID Care 
Specialist who will work on your behalf to identify, stop and reverse the damage quickly. 

You should also know that you have the right to file a police report if you ever experience 
identity fraud. Please note that in order to file a crime report or incident report with law 
enforcement for identity theft, you will likely need to provide some kind of proof that you have 
been a victim. A police report is often required to dispute fraudulent items. You can report 
suspected incidents of identity theft to local law enforcement or to the Attorney General. 

4, Place Fraud Alerts with the three credit bureaus. If you choose to place a fraud alert, we 
recommend you do this after activating your credit monitoring. You can place a fraud alert at one 
of the three major credit bureaus by phone and also via Experian’s or Equifax’s website. A fraud 





alert tells creditors to follow certain procedures, including contacting you, before they open any 
new accounts or change your existing accounts. For that reason, placing a fraud alert can protect 
you, but also may delay you when you seek to obtain credit. The contact information for all three 
bureaus is as follows: 


Credit Bureaus 


Equifax Fraud Reporting 
1-866-349-5191 
P.O. Box 105069 
Atlanta, GA 30348-5069 
www.alerts.equifax.com 


Experian Fraud Reporting 
1-888-397-3742 
P.O.Box 9554 
Allen, TX 75013 
www.experian.com 


TransUnion Fraud Reporting 

1-800-680-7289 

P.O. Box 2000 

Chester, PA 19022-2000 

www.transunion.com 


It is necessary to contact only ONE of these bureaus and use only ONE of these methods. As 
soon as one of the three bureaus confirms your fraud alert, the others are notified to place alerts 
on their records as well. You will receive confirmation letters in the mail and will then be able to 
order all three credit reports, free of charge, for your review. 


5, Security Freeze, By placing a security freeze, someone who fraudulently acquires your 
personal identifying information will not be able to use that information to open new accounts or 
borrow money in your name. You will need to contact the three national credit reporting bureaus 
listed above in writing to place the freeze. Keep in mind that when you place the freeze, you will 
not be able to borrow money, obtain instant credit, or get a new credit card until you temporarily 
lift or permanently remove the freeze. The cost of placing the freeze varies by the state you live 
in and for each credit reporting bureau. The Credit Bureau may charge a fee of up to $5.00 to 
place a freeze, lift, or remove a freeze. However, if you are a victim of identity theft and have 
filed a report with your local law enforcement agency or submitted an ID Theft Complaint Form 
with the Federal Trade Commission, there may be no charge to place the freeze. 


6. You can obtain additional information about the steps you can take to avoid identity theft 
from the following agency. 


Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW 
Washington, DC 20580, https://www.consumer.ftc.gov/ , 1-877-IDTHEFr (438-4338), 1-866- 
653-4261 (TTY) 






HARRIS BEACH ^ 

Attorneys at Law 

September 14, 2018 99 garnsey road 

PITTSFORD, NY 14534 
(585)419-8800 

Dawn M. Russell 

Director of Compliance and Risk 

Management 

Direct: (585)419-8708 

Fax: (585)419-8801 

drussell@HarrisBeach.com 


Re: Data breach at Harris Beach where your name and Social Security Number could 

have possibly been accessed. 

Dear : 

You received notice from us regarding a breach of your personal information. Please be advised, 
that in addition to the information previously provided, you can also obtain additional 
information about the steps you can take to avoid identity theft from the following agency. 

North Carolina Attorney General's Office 
Consumer Protection Division 
9001 Mail Service Center 
Raleigh, NC 27699-9001 

877-5-NO-SCAM (Toll-free within North Carohna) 

919-716-6000 

www.ncdoj.gov 


Sincerely, 


DR 


Dawn M. Russell 

Director of Compliance and Risk 

Management 



